STIG-Partitioned Enterprise Linux (spel) is a project that helps create and
publish Enterprise Linux images that are partitioned according to the
DISA STIG. The resulting images also use LVM to simplify volume management.
The images are configured with help from the scripts and packages in the
AMIgen7, and AMIgen8 projects.
VMs' root filesystems are generally not live-repartitionable once launced from
their images. As a result, if a STIG-scan is performed against most of the
community-published images for Red Hat and CentOS, those scans will note
failures for each of the various "${DIRECTORY} is on its own filesystem"
tests. The images produced through this project are designed to ensure that
these particular scan-failures do not occur.
Aside from addressing the previously-noted partitioning findings, spel does not apply any STIG-related hardening. The spel-produced images are expected to act as a better starting-point in a larger hardening process.
If your organization does not already have an automated hardening process, please see our tool, Watchmaker. This tool is meant to help spel-users (and users of other Enterprise Linux images) by performing launch-time hardening activities.
We've added an FAQ to the project. Hopefully, your questions are answered there. If they aren't, please feel free to submit an issue requesting an appropriate FAQ entry.
SPEL AMIs are published monthly. The AMI table below contains links to the AWS Console that search by AMI Name and sort the result by creation date. The most recent AMI of each build will be at the top when viewed in the AWS Console.
RPM Manifests for published images are available in the manifests directory.
| Vagrant Cloud Name | Vagrant Provider |
|---|---|
| plus3it/spel-minimal-centos-7 | virtualbox |
With the move from CentOS 8 to CentOS Stream 8, the CentOS 8 images are deprecated. While they remain public for the moment, they are no longer updated and the CentOS org may remove the yum repos at their discretion.
| AWS Region | Builder Name / Link |
|---|---|
| us-east-1 | spel-minimal-centos-8-hvm |
| us-east-2 | spel-minimal-centos-8-hvm |
| us-west-1 | spel-minimal-centos-8-hvm |
| us-west-2 | spel-minimal-centos-8-hvm |
| us-gov-west-1 | spel-minimal-centos-8-hvm |
| us-gov-east-1 | spel-minimal-centos-8-hvm |
The default username for all spel images is maintuser.
If you wish to change the default username at launch, you can do so via cloud-init
with userdata something like the following. Change <USERNAME> to your desired
value.
#cloud-config
system_info:
default_user:
name: <USERNAME>
gecos: spel default user
lock_passwd: true
sudo: ["ALL=(root) NOPASSWD:ALL"]Packer by Hashicorp is used to manage the process of building
images.
-
Download and extract
packerfor your platform. Add it to your PATH, if you like. On Linux, watch out for otherpackerexecutables with the same name... -
If building AMIs for Amazon Web Services, ensure your AWS credentials are configured. You do not really need the
awscli utility, but it is a convenient way to configure the credential file. You can also export the environment variables. Or, if runningpackerin an EC2 instance, an instance role with the requisite permissions will also work. See thepackerdocs for details on the necessary permissions.NOTE: No packer templates in this project will contain variables for AWS credentials; this is intentional, to avoid mistakes where credentials get committed to the repository. Instead,
packerknows to read the credentials from the credential file or from the environment variables, or to retrieve them from the instance role. See the docs. -
If building VirtualBox image(s), you will need to install VirtualBox and Vagrant.
-
If building VMware image(s), depending on your platform, you will need to install either VMware Fusion, VMware Workstation Pro, or VMware Player. For all platforms, you will also need Vagrant.
-
The template(s) push the Vagrant boxes for the VirtualBox and VMware images to Hashicorp Vagrant Cloud, which requires a Vagrant Cloud account.
-
If building a VHD or Image for Azure, ensure you have authorized access to ARM. The creation of destination objects and a Service Principal can either be done manually or via script. If not building in Public region, use of device login is not possible and a Service Principal is required.
NOTE: In all steps below, the examples use syntax that works on Linux. If you
are running packer from a Windows system, simply use the appropriate syntax
for the relative path to the packer template. Most important, for Windows,
use .\ preceding the path to the template. E.g.
.\spel\minimal-linux.json.
-
Clone the repository:
git clone https://github.com/plus3it/spel && cd spel
-
Validate the template (Optional):
packer validate spel/minimal-linux.pkr.hcl
-
Begin the build. This requires at least two variables,
spel_identifierandspel_version. See the section Packer Variables for more details.packer build \ -var 'spel_identifier=unique-project-id' \ -var 'spel_version=dev001' \ -var 'virtualbox_vagrantcloud_username=myvagrantclouduser' \ spel/minimal-linux.pkr.hclNOTE: This will build images for all the builders defined in the template. Use
packer build --helpto see how to restrict the build to to a subset of the builders using the-onlyor-exceptarguments.If building the VirtualBox or VMware images for use with Vagrant, the template is configured to host the resulting images with Hashicorp Vagrant Cloud. This requires passing the variable
virtualbox_vagrantcloud_usernameand exporting the environment variableVAGRANT_CLOUD_TOKEN.
The Minimal Linux template builds STIG-partitioned images with a set of packages that correspond to the "Minimal" install option in Anaconda. Further, the AWS images include a handful of additional packages that are intended to increase functionality in EC2 and make the images more comparable with Amazon Linux.
- Template Path:
spel/minimal-linux.pkr.hcl
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| spel_identifier | Namespace that prefixes the name of the built images | string |
n/a | yes |
| spel_version | Version appended to the name of the built images | string |
n/a | yes |
| amigen7_filesystem_label | Label for the root filesystem when creating bare partitions for EL7 images | string |
"" |
no |
| amigen7_package_groups | List of yum repo groups to install into EL7 images | list(string) |
[ |
no |
| amigen7_package_manifest | File containing a list of RPMs to use as the build manifest for EL7 images | string |
"" |
no |
| amigen7_repo_names | List of yum repo names to enable in the EL7 builders and images | list(string) |
[ |
no |
| amigen7_repo_sources | List of yum package refs (names or urls to .rpm files) that install yum repo definitions in EL7 builders and images | list(string) |
[ |
no |
| amigen7_source_branch | Branch that will be checked out when cloning AMIgen7 | string |
"master" |
no |
| amigen7_source_url | URL that will be used to clone AMIgen7 | string |
"https://github.com/plus3it/AMIgen7.git" |
no |
| amigen7_storage_layout | List of colon-separated tuples (mount:name:size) that describe the desired partitions for LVM-partitioned disks on EL7 images | list(string) |
[ |
no |
| amigen8_filesystem_label | Label for the root filesystem when creating bare partitions for EL8 images | string |
"" |
no |
| amigen8_package_groups | List of yum repo groups to install into EL8 images | list(string) |
[ |
no |
| amigen8_package_manifest | File containing a list of RPMs to use as the build manifest for EL8 images | string |
"" |
no |
| amigen8_repo_names | List of yum repo names to enable in the EL8 builders and EL8 images | list(string) |
[ |
no |
| amigen8_repo_sources | List of yum package refs (names or urls to .rpm files) that install yum repo definitions in EL8 builders and images | list(string) |
[ |
no |
| amigen8_source_branch | Branch that will be checked out when cloning AMIgen8 | string |
"master" |
no |
| amigen8_source_url | URL that will be used to clone AMIgen8 | string |
"https://github.com/plus3it/AMIgen8.git" |
no |
| amigen8_storage_layout | List of colon-separated tuples (mount:name:size) that describe the desired partitions for LVM-partitioned disks on EL8 images | list(string) |
[] |
no |
| amigen_amiutils_source_url | URL of the AMI Utils repo to be cloned using git, containing AWS utility rpms that will be installed to the AMIs | string |
"" |
no |
| amigen_aws_cfnbootstrap | URL of the tar.gz bundle containing the CFN bootstrap utilities | string |
"https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz" |
no |
| amigen_aws_cliv1_source | URL of the .zip bundle containing the installer for AWS CLI v1 | string |
"" |
no |
| amigen_aws_cliv2_source | URL of the .zip bundle containing the installer for AWS CLI v2 | string |
"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" |
no |
| amigen_build_device | Path of the build device that will be partitioned to create the image | string |
"/dev/nvme0n1" |
no |
| amigen_extra_rpms | List of package specs (rpm names or URLs to .rpm files) to install to the builders and images | list(string) |
[ |
no |
| amigen_fips_disable | Toggles whether FIPS will be disabled in the images | bool |
false |
no |
| amigen_grub_timeout | Timeout value to set in the grub config of each image | number |
1 |
no |
| amigen_use_default_repos | Modifies the behavior of amigen_repo_names. When true, amigen_repo_names are appended to the enabled repos. When false, amigen_repo_names are used exclusively |
bool |
true |
no |
| aws_ami_groups | List of groups that have access to launch the resulting AMIs. Keyword all will make the AMIs publicly accessible |
list(string) |
[] |
no |
| aws_ami_regions | List of regions to copy the AMIs to. Tags and attributes are copied along with the AMIs | list(string) |
[] |
no |
| aws_ami_users | List of account IDs that have access to launch the resulting AMIs | list(string) |
[] |
no |
| aws_force_deregister | Force deregister an existing AMI if one with the same name already exists | bool |
false |
no |
| aws_instance_type | EC2 instance type to use while building the AMIs | string |
"t3.2xlarge" |
no |
| aws_region | Name of the AWS region in which to launch the EC2 instance to create the AMIs | string |
"us-east-1" |
no |
| aws_source_ami_filter_centos7_hvm | Object with source AMI filters for CentOS 7 HVM builds | object({ |
{ |
no |
| aws_source_ami_filter_centos8stream_hvm | Object with source AMI filters for CentOS Stream 8 HVM builds | object({ |
{ |
no |
| aws_source_ami_filter_ol8_hvm | Object with source AMI filters for Oracle Linux 8 HVM builds | object({ |
{ |
no |
| aws_source_ami_filter_rhel7_hvm | Object with source AMI filters for RHEL 7 HVM builds | object({ |
{ |
no |
| aws_source_ami_filter_rhel8_hvm | Object with source AMI filters for RHEL 8 HVM builds | object({ |
{ |
no |
| aws_ssh_interface | Specifies method used to select the value for the host in the SSH connection | string |
"public_dns" |
no |
| aws_subnet_id | ID of the subnet where Packer will launch the EC2 instance. Required if using an non-default VPC | string |
null |
no |
| aws_temporary_security_group_source_cidrs | List of IPv4 CIDR blocks to be authorized access to the instance | list(string) |
[ |
no |
| azure_build_resource_group_name | Existing resource group in which the build will run | string |
null |
no |
| azure_client_id | Application ID of the AAD Service Principal. Requires either client_secret, client_cert_path or client_jwt to be set as well | string |
null |
no |
| azure_client_secret | Password/secret registered for the AAD Service Principal | string |
null |
no |
| azure_cloud_environment_name | One of Public, China, Germany, or USGovernment. Defaults to Public. Long forms such as USGovernmentCloud and AzureUSGovernmentCloud are also supported | string |
"Public" |
no |
| azure_custom_managed_image_name_centos7 | Name of a custom managed image to use as the base image for CentOS7 builds | string |
null |
no |
| azure_custom_managed_image_name_rhel7 | Name of a custom managed image to use as the base image for RHEL7 builds | string |
null |
no |
| azure_custom_managed_image_resource_group_name_centos7 | Name of the resource group for the custom image in azure_custom_managed_image_name_centos7 |
string |
null |
no |
| azure_custom_managed_image_resource_group_name_rhel7 | Name of the resource group for the custom image in azure_custom_managed_image_name_rhel7 |
string |
null |
no |
| azure_image_offer | Name of the publisher offer to use for your base image (Azure Marketplace Images only) | string |
null |
no |
| azure_image_publisher | Name of the publisher to use for your base image (Azure Marketplace Images only) | string |
null |
no |
| azure_image_sku | SKU of the image offer to use for your base image (Azure Marketplace Images only) | string |
null |
no |
| azure_keep_os_disk | Boolean toggle whether to keep the managed disk or delete it after packer runs | bool |
false |
no |
| azure_location | Azure datacenter in which your VM will build | string |
null |
no |
| azure_managed_image_resource_group_name | Resource group name where the result of the Packer build will be saved. The resource group must already exist | string |
null |
no |
| azure_private_virtual_network_with_public_ip | Boolean toggle whether a public IP will be assigned when using azure_virtual_network_name |
bool |
null |
no |
| azure_subscription_id | n/a | string |
null |
no |
| azure_virtual_network_name | Name of a pre-existing virtual network in which to run the build | string |
null |
no |
| azure_virtual_network_resource_group_name | Name of the virtual network resource group in which to run the build | string |
null |
no |
| azure_virtual_network_subnet_name | Name of the subnet in which to run the build | string |
null |
no |
| azure_vm_size | n/a | string |
"Standard_DS5_v2" |
no |
| openstack_flavor | ID, name, or full URL for the desired flavor for the server to be created | string |
null |
no |
| openstack_floating_ip_network_name | ID or name of an external network that can be used for creation of a new floating IP | string |
null |
no |
| openstack_insecure | Boolean whether the connection to OpenStack can be done over an insecure connection | bool |
false |
no |
| openstack_networks | List of networks by UUID to attach to this instance | list(string) |
[] |
no |
| openstack_security_groups | List of security groups by name to add to this instance | list(string) |
[] |
no |
| openstack_source_image_name | Name of the base image to use | string |
null |
no |
| spel_description_url | URL included in the AMI description | string |
"https://github.com/plus3it/spel" |
no |
| spel_http_proxy | Used as the value for the git config http.proxy setting in the builder nodes | string |
"" |
no |
| spel_root_volume_size | Size in GB of the root volume | number |
20 |
no |
| spel_ssh_username | Name of the user for the ssh connection to the instance. Defaults to spel, which is set by cloud-config userdata. If your starting image does not have cloud-init installed, override the default user name |
string |
"spel" |
no |
| virtualbox_iso_url_centos7 | URL to the CentOS7 .iso to use for Virtualbox builds | string |
"http://mirror.cs.vt.edu/pub/CentOS/7/isos/x86_64/CentOS-7-x86_64-Minimal-2009.iso" |
no |
| virtualbox_iso_url_centos8 | URL to the CentOS8 .iso to use for Virtualbox builds | string |
"http://mirror.cs.vt.edu/pub/CentOS/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso" |
no |
| virtualbox_vagrantcloud_username | Vagrant Cloud username, used to namespace the vagrant boxes | string |
null |
no |
The Minimal Linux packer template includes the following builders:
| Builder Name | Description |
|---|---|
amazon-ebs.minimal-centos-8stream-hvm |
amazon-ebs builder for a minimal CentOS Stream 8 HVM AMI |
amazon-ebs.minimal-rhel-8-hvm |
amazon-ebs builder for a minimal RHEL 8 HVM AMI |
amazon-ebs.minimal-centos-7-hvm |
amazon-ebs builder for a minimal CentOS 7 HVM AMI |
amazon-ebs.minimal-rhel-7-hvm |
amazon-ebs builder for a minimal RHEL 7 HVM AMI |
azure-arm.minimal-centos-7-image |
azure-arm builder for a minimal CentOS 7 Image |
azure-arm.minimal-rhel-7-image |
azure-arm builder for a minimal RHEL 7 Image |
openstack.minimal-centos-7-image |
openstack builder for a minimal CentOS 7 Image |
virtualbox-iso.minimal-centos-7-image |
virtualbox-iso builder for a minimal CentOS 7 Vagrant Box |
The Minimal Linux packer template includes the following post-provisioners:
-
vagrant: The vagrant post-provisioner creates vagrant boxes from on thevirtualboxandvmwareimages. -
vagrant-cloud: The vagrant-cloud post-provisioners upload the vagrant boxes to Hashicorp Vagrant Cloud.
To build images for the AWS US GovCloud regions, us-gov-west-1 or us-gov-east-1,
it is necessary to pass several variables that are specific to the region. The
AMI filters below have been tested and/or created in us-gov-west-1 to work with the
spel template(s). Also, the builders should be restricted so as not to build
the Vagrant images.
packer build \
-var 'spel_identifier=unique-project-id' \
-var 'spel_version=dev001' \
-var 'aws_region=us-gov-west-1' \
-var 'aws_source_ami_filter_centos7_hvm={name = "*-Recovery (No-LVM)-ACB-CentOS7-HVM-SRIOV_ENA", owners = ["039368651566"]}' \
-var 'aws_source_ami_filter_centos8stream_hvm={name = "spel-bootstrap-centos-8stream-hvm-*.x86_64-gp2", owners = ["039368651566"]}' \
-exclude 'virtualbox-iso.*' \
spel/minimal-linux.pkr.hclA source Marketplace Image Offer or Custom Image Name and Resource Group are required from which to start the SPEL Azure build.
The resultant SPEL Image will be configured to use the Azure Linux agent, WALinuxAgent
per recommended configurations. Currently, the use of cloud-init exclusively
does not enable execution/installation of Azure VM Extensions. The below
variables also disable FIPS mode in the resultant SPEL VHD or Image. Currently,
the Azure Linux agent does not support FIPS mode when utilizing Azure VM
Extensions. If no plans exist to utilize Azure VM Extensions on VMs provisioned
from SPEL VHDs or Images, FIPS mode can be enabled, but the waagent configuration
must also be modified accordingly.
The variables referenced in the packer builds below should be modified with appropriate parameters for your environment. Any content between and including the < and > characters should be replaced.
Login to azure using the az cli. Packer will use the session setup by the az cli.
packer build \
-var 'spel_identifier=unique-project-id' \
-var 'spel_version=0.0.1' \
-var 'amigen_extra_rpms=["WALinuxAgent"]' \
-var 'amigen_fips_disable=true' \
-var 'amigen7_repo_names=["rhui-microsoft-azure-rhel7"]' \
-var 'azure_image_offer=rhel-raw' \
-var 'azure_image_publisher=RedHat' \
-var 'azure_image_sku=7-raw' \
-var 'azure_managed_image_resource_group_name=<resource group short name>' \
-only 'azure-arm.minimal-rhel-7-image' \
spel/minimal-linux.pkr.hclTo build images for an OpenStack environment, it is necessary to pass several variables that are specific to the environment. The CentOS 7 Generic Cloud image has been tested to work with the spel template(s). Also, the builders should be restricted so as not to build the Vagrant images.
source your_openstack_credentials_file.sh
packer build \
-var 'spel_identifier=spel' \
-var 'spel_version=0.0.1' \
-var 'openstack_insecure=false' \
-var 'openstack_flavor=your_flavor_name_for_temporary_instance' \
-var 'openstack_floating_ip_network=your_provider_network_name' \
-var 'openstack_networks=your_network_id_for_temporary_instance,second_network_id,etc.' \
-var 'openstack_security_groups=your_security_group_name_for_temporary_instance,second_sg_name,etc.' \
-var 'openstack_source_image_name=your_source_image_name' \
-only 'openstack.*' \
spel/minimal-linux.pkr.hclFor expected values, see links below:
- openstack_allow_insecure (true|false)
- openstack_flavor_name (string)
- openstack_floating_ip_network_name (string)
- openstack_network_ids (comma-separated list of strings)
- openstack_security_group_names (comma-separated list of strings)
- openstack_source_image_name (string)
The spel automation leverages the AMIgen7 project as a build-helper for creation of Amazon Machine Images. Due to the closely-coupled nature of the two projects, it's recommended that any changes made to AMIgen7 be tested with spel prior to merging changes to the AMIgen master branch.
To facilitate this testing, the runtime-variable amigen7_source_branch was added
to spel. Using this runtime-variable, in combination with the amigen7_source_url
runtime-variable, allows one to point spel to a fork/branch of AMIgen7 during a
integration-test build. To test, update your packer invocation by adding elements
like:
packer build \
-var 'amigen7_source_url=https://github.com/<FORK_USER>/AMIgen7.git' \
-var 'amigen7_source_branch=IssueNN' \
...
minimal-linux.pkr.hcl
![mergify[bot] avatar](https://avatars.githubusercontent.com/in/10562?v=4 "mergify[bot]")
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "dependabot-preview[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent